11192122 - Cybersecurity Training Book

SEMINAR INSTITUTE

Certification Training

“Cybersecurity: Critical Importance of a Strong Security Culture” Training Material

October 19-21, 2022

Southpoint Resort Casino & Spa Las Vegas, Nevada

2022 Cybersecurity: Critical Importance of a Strong Security Culture

MEET THE SPEAKERS


Cybersecurity: Critical Importance of a Strong Security Culture October 19 – 21, 2022 South Point Hotel & Casino, Las Vegas, Nevada

AGENDA (Subject to Change)

Wednesday, October 19, 2022

8:00 am – 9:00 am: Breakfast
9:00 am – 9:30 am: Welcome/Course Introductions
9:30 am – 10:30 am: Threat Landscape - Overview: 2021 to 2022 Trends and Forecast to 2023. Sequoyah Simermeyer, Chairman, National Indian Gaming Commission
10:30 am – 10:45 am: BREAK
10:45 am – 12:15 pm: Cybersecurity is a Board Level Leadership Imperative for Building the Security Culture. Renita DiStefano, Second Derivative
12:15 pm – 1:15 pm: BREAK
1:15 pm – 2:00 pm: Cyber Insurance Landscape - What are the Changes. Delane Big Crow, Safety Manager, AMERIND
2:00 pm – 2:45 pm: What are the Crown Jewels that you are Protecting? Data and Data Sovereignty within Tribes. Calandra McCool, Big Fire Law & Policy Group
2:45 pm – 3:00 pm: BREAK
3:00 pm – 4:30 pm: Building the Human Firewall. Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC

Thursday, October 20, 2022

8:00 am – 9:00 am: Breakfast
9:00 am – 10:30 am: Mapping the MICS to the NIST Framework: Building a Strong Security Foundation. Renita DiStefano, President and CEO, Second Derivative LLC
10:30 am – 10:45 am: BREAK
10:45 am – 12:15 pm: Essential Elements of a Cybersecurity Compliance Program. Jeremy Rasmussen, Chief Technology Officer, Abacode, Inc.
12:15 pm – 1:15 pm: BREAK
1:15 pm – 2:45 pm: What is Security as a Service. Amit Sharma, Chief Executive Officer, Big Cyber LLC, a BMM Innovation Group Company
2:45 pm – 3:00 pm: BREAK
3:00 pm – 4:30 pm: Digital Payment Security - What You Need to Know. Tiger Taylor, Account Executive, Bulletproof a GLI Company; Melissa Aarskaug, Vice President of Business Development, Bulletproof a GLI Company

Friday, October 21, 2022

8:00 am – 9:00 am: Breakfast
9:00 am – 10:30 am: Tabletop of an Incident. Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC; Rebecca Fisher, Cyber Security Risk Adviser, Cino Security Solutions LLC
10:30 am – 10:45 am: BREAK
10:45 am – 11:45 am: Are you Prepared to Get Hacked? The Role of Incident Response Plans in your Overall Business Continuity Planning. Tanja Jacobsen, Director of Security Operations, Cino Security Solutions LLC
11:45 am – 12:15 pm: Resources, Takeaways, Recap of Events, and Next Steps for your Organization. Rebecca Fisher, Cyber Security Risk Adviser, Cino Security Solutions LLC


NIGC Agency Update On Preparedness And Cyber Indian Gaming Association Cyber Training

National Indian Gaming Commission

E. Sequoyah Simermeyer Commission Chair

Las Vegas, NV October 2022

The National Indian Gaming Commission’s Four Agency-Wide Focus Areas

Industry Integrity: Protecting the valuable tool of Indian gaming that in many communities creates jobs, is the lifeblood for tribal programs, and creates opportunities for tribes to explore and strengthen relationships with neighbors.

Preparedness: Promoting tribes’ capacity to plan for risks to tribal gaming assets including natural disaster threats, the need to modernize and enhance regulatory and gaming operation workforces, or public health and safety emergencies.

Outreach: Cultivating opportunities for outreach to ensure well-informed Indian gaming policy development through diverse relationships, accessible resources, and government-to-government consultation.

Agency Accountability: Meeting the public’s expectation for administrative processes that uphold good governance practices and support efficient and effective decision-making to protect tribal assets.


Factors Shaping the NIGC Perspective on Preparedness in the Cyber Security Area

Increasing Sophistication

NIGC’s Reinvestment

Federal Priority

Industry Innovation

Common Goals Among NIGC Cyber Initiatives

Protect gaming’s reputation as a well- regulated industry.

Protect tribal law makers’ ability to set policy goals.

NIGC Cyber Security Awareness In October www.NIGC.gov

Be Cyber Smart

Have A Plan

Protect Assets

Understand The Goals

The NIGC Year-Long Campaign Promotes #NIGC3For35

Strategic Recruitment

Knowledge Retention

Skills Planning

“Stronger Together”

The NIGC Cyber Security Symposium www.NIGC.gov

Communication Tools

Case Study

Virtual Format

Broad Community

The NIGC Cyber Resource Page Updates www.NIGC.gov

ITVA

Federal Resources

Technical Assistance

NIGC Initiatives

Thank You For Supporting And Following The NIGC’s Outreach And Resource

www.NIGC.gov

Cybersecurity is a Board Level Leadership Imperative for Building the Security Culture

Indian Gaming Association Cybersecurity Training Wednesday, October 19, 2022 10:45 am – 12:15 pm

Welcome

Renita DiStefano - MBA, CISSP, CISM, CRISC, CISA, CSOX, CGEIT

President & CEO – Second Derivative

Cybersecurity is a Top Priority

• The data tells us it’s important
• The headlines tell us it’s important
• Our colleagues are telling us it’s important
• What about YOUR organization?

Cybersecurity is a Top Priority

• Look at the Agendas for top Executive Leadership and Board of Directors meetings
• Cyber risk is business risk
• If they’re NOT talking about it, why?
• It’s too confusing
• It’s too technical

We have to find a way to communicate cyber risk to the Board.

Role of the Board
• “to oversee management and to advise management”
• “… an overarching and strategic vantage point to ensure the long-term prosperity and survivability of the enterprise.”
• “… a legal responsibility to provide effective governance oversight, to ensure that the enterprise is well managed and to provide reasonable protections to its customers, employees, shareholders and business partners (duty of care)”

How that manifests

• Management (C-Level)
• Approve Strategy
• Approve Budgets
  • Capital
  • Operating (FTEs)
• Manage Risk
  • Competition
  • Market
  • Legal
• Set the Risk Appetite

The National Association of Corporate Directors (NACD)

Create a Prioritized Cybersecurity Strategy

https://www.nist.gov/cyberframework

https://learn.cisecurity.org/cis-controls-download

Create a Prioritized Cybersecurity Strategy

1. What is a Cybersecurity Strategy?
2. Pick a Framework and assess your organization (Gap Analysis)
   • Center for Internet Security (CIS) Critical Controls
   • National Institute of Standards & Technology (NIST)
   • Payment Card Industry Data Security Standard (PCI DSS)
3. Download the framework in a “mappable” form like Excel
4. Or, use online tools (CIS CSAT – free web application)
5. Identify Gaps
6. Prioritize
7. Get some help

Use “mapping” to Document What You Have

CIS Control Group 1, Control 1.2, Asset Type = Device, Security Function = Respond
Address Unauthorized Assets: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

Example mapping entry (what you have): My Tribe leverages a Network Access Control solution to allow/deny network connections in real time via 802.1X. Extensible Authentication Protocol (EAP) Chaining is used to chain user and machine authentications together. This protocol ensures that only corporate users can authenticate to the network using a corporate-issued computer. Users and devices are registered in Active Directory to validate authorized users and devices.

Something you are. Something you have. Something you know.

Use Mapping to find the Gaps

CIS Control Group 2, Control 2.7, Asset Type = Application, Security Function = Protect

Allowlist Authorized Scripts

Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

This is a gap.

Remediation: Create and apply a group policy to restrict execution of unauthorized PowerShell scripts. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2

Prioritize

What does it take to do all the Cyber Things?

Culture

Strategy

Who within your organization is in a position to give you those things?

Energy

Money

Talent

Time

Culture Eats Strategy for Lunch

What They Hear → What They See
• Password Policy → “The Board shouldn’t have to change their passwords.”
• Configuration Standard → “The laptop is working, we can’t afford to replace it.”
• Purchasing Standard → “I went to [conference] and I want to buy this new system.” (“Shadow IT”)
• Enterprise Architecture → “I want a Pixel.”
• Removable Media Policy [Block USB (flash) Drives] → “I need to use my thumb drive.”

THAT is why Cybersecurity is a Board Level Imperative

• Culture starts at the Top
• The Board is in the BEST position to align resources
• The Board sets the tone with their words and actions
• If you can communicate
  • Strategy
  • Rationale
  • Role of the Board
• They will be your ally

Questions?

renita@2nd-derivative.com


Cyber Insurance Landscape Delane Big Crow AMERIND Safety Services


Session objectives

What is the importance of Cyber insurance for tribes?

What has increased the risk tribes face?

What do insurance companies look for?


What is the importance of Cyber insurance for tribes?
• New Risk Factors Post pandemic
• Success of Tribal Businesses
• Lack of training for employees
• New Technology


What has increased the risk tribes face?

• Cyber attacks targeting tribes
• Remote work
• Employee error


What do insurance companies look for?

1. Multi-factor Authentication
2. Data Back-up
3. Network Security and Segmentation


Questions Delane Big Crow dbigcrow@amerind.com 505-313-9335


What are the Crown Jewels You Are Protecting? Data and Data Sovereignty Within Tribes

Calandra “Callie” McCool Associate Attorney, Big Fire Law & Policy Group, LLP

Intro

• What types of data do casinos have?
• What is at stake if there is a data privacy issue?
• What can Tribes do to protect themselves?
• What other kinds of data are at risk?

Types of Data in Casinos • What kinds of data may casinos have?

Employee Data

Consumer Data

Personally Identifiable Information

Personally Identifiable Information

Biometrics

Video Surveillance

Financial Information

Financial Information

Background Check Information

Lists of “Whales”

Gaming Credentials

Marketing Information

Types of Data in Casinos
• What kinds of data are considered “Personally Identifiable Information” or PII?
• Under the GDPR (General Data Protection Regulation), it is considered to be “any information relating to an identified or identifiable natural person” including “reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.” Art. 4, Sec. 1.

Types of Data in Casinos

Examples of Personally Identifiable Information

Legal Names

Dates of Birth

Physical Addresses

Email Addresses

Phone Numbers

Passport/State ID Numbers

Social Security/National ID Numbers

Financial Account Numbers

Geolocation Information

IP Addresses

Types of Data in Casinos
• Third-party vendors
• Businesses are obligated to ensure that third-party vendors who handle sensitive and confidential information are handling it securely.
• Otherwise, the company can potentially be held liable for the damages that flow from a data breach.

Answers
• Contract drafting and contract review for all vendors and other external workers who could potentially interact with the Tribe’s cyber network.
• Contract Code - Drafting and implementing a robust contract code that provides the Tribe the basis to handle vendor contract disputes.
• Data Security Code - Implement a code similar to the GDPR/California Consumer Protection Act, including how to address claims against the Tribe for violations.

What is at Risk?

LITIGATION

What is at Risk? TRIBAL

SOVEREIGNTY AND SOVEREIGN IMMUNITY

What is at Risk?

Also, Money.

A lot of money that is essential for Tribal operations and programs.

Potential Legal Liability

• IGRA and NIGC regulations have heightened security requirements.

• For example, if a tribe with Class II gaming is found to be non-compliant, civil fines are possible, not to exceed $52,596 per count, “against a tribe, management contractor, or individual operating Indian gaming”; the amount of the fine for each count is determined by a set of factors outlined in the CFR. 25 C.F.R. § 543.20.

Potential Legal Liability
• FTC Act § 5 Compliance
• Section five of the Federal Trade Commission Act (FTCA) applies to privacy law in that it addresses unfair and deceptive trade practices. The operating language states that “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45 (2012).
• This statute has been used to hold companies liable for failing to provide the level of cybersecurity and data protection that they advertised.
• 2021: FTC rescinded 2015 policy limiting FTCA enforcement ability.

Potential Legal Liability
• Gramm-Leach-Bliley Act Liability
• If the gaming operation collects information about consumers for the purposes of extending or arranging a line of credit, the privacy requirements of the Gramm-Leach-Bliley Act are triggered.
• While this is not much of an issue with most casino gaming activities, there are possible implications for sportsbooks and sports betting, especially depending on tribal-state agreement terms.

Gold Standard
• The GDPR is the European Union’s cybersecurity law that regulates how companies can collect and process consumer data.
• The GDPR is already the standard for global commerce.
• California has adopted its own, more expansive version called the California Consumer Protection Act.
• For example, CA residents have the right to access gathered information and delete or opt out of the sale of their information.

Gold Standard
• Companies that regularly participate in commerce with European countries have already implemented GDPR-required security measures in order to continue working with those clients.
• Earlier this month, President Biden signed an Executive Order outlining the United States’ plan to meet the terms of the new EU-U.S. Data Privacy Framework, a replacement for the EU-U.S. Privacy Shield that was struck down by the Court of Justice of the EU.
• While this Executive Order does not fully implement the GDPR personal information standard in the United States, it is only a matter of time until that is the industry standard here as well.

Remember TRIBES HAVE THE POWER! TO LEGISLATE!

What Other Risks?
• Depending on how “successful” the attack is, there are risks to the rest of the Tribe’s digital assets, which can leave the Tribe vulnerable in a lot of ways.
• Additional legal liability under HIPAA-HITECH
• Threat to infrastructure stability
• Illegal access to legal, medical, police records, intellectual property, PII of enrolled members
• Access to cultural knowledge and resources not meant for public access

More Answers
• Segmenting networks
• Data Sovereignty Code - Codify use, control, access requirements for Tribal resources
• Tribal or third-party Internal Review Boards (IRBs)
• Resource Access Restrictions
• Limitations on Use of Materials
• Restriction on Internet Resources

Other Data in Danger
• Infrastructure Controls
• Statistical Information
• Language Resources
• Medical Data
• Legal Records
• Police Records
• Physical Artifacts and Digital Records of Same
• Sacred Items
• Plant Knowledge/Traditional Medicinal Knowledge
• Geological/Mineral Information
• Hydrological Information
• Sacred Site and Grave Site Locations
• Stories and Music
• Art
• Medical Samples
• Genetic Material
• Plant/Animal Specimens
• Genealogy and Enrollment Records
• Cultural Resource Materials
• Archives including Recorded Audio and Video, Elder Interviews
• Copyrights and Trademarks
• AND MORE

Additional Threats

• Private Companies Want Native Data
  • Medicines (ex. malarial medications)
  • Seeds/grains (ex. Basmati RiceTech lawsuits)
• Pretendians and Fake Tribes
  • Access to genealogical information
• Human genomic data

Considerations
• What concerns does your Tribe have regarding their other data?
• Protection of sacred knowledge, stories, art, other IP
• Protection of medical data/research data/genomics
• Protection of linguistic and cultural assets

Considerations
“I have a rule when quoting elders and traditional leaders in a book. Basically, the story belongs to them, and so I do not want to be the first person to put a story in print. I therefore try to find a published account that confirms what an elder has told me and use that version instead of the tradition as related to me by the elder. Thus, there are a considerable number of stories that I could have put into this book that will not appear until the elders themselves authorize them to be published.” Red Earth, White Lies, Vine Deloria Jr. at xv.

Considerations
• Each Tribe gets to decide how restrictive each protection is individually
• Each Tribe has different concerns
• Specialized provisions to address specific concerns bolster Tribal Data Sovereignty statutes

Questions?

Calandra “Callie” McCool cmccool@bigfirelaw.com Office: 531.466.8725 Direct: 405.639.9811

PC: TE-5013-1

Tanja Jacobsen, MBA, MS, PMP, CISSP

Speakers

• Tanja Jacobsen, MBA, MS, PMP, ACP
• Marketing & Cyber Security Executive
• Webroot Cybersecurity Solutions Sales Certified
• 15+ years of digital and traditional marketing, IT, and project management experience
• MS in Cybersecurity, Cyber Policy and Risk Management, as well as a degree in Counter-Intelligence and Cyber Operations
• Fortune 1000, SMB, Education
• Hofstra University and SNHU (Southern New Hampshire University) Course Developer and Instructor
• Volunteer Firemedic, EMT

Average Cost of Cyber Attacks

Cyber attacks are now the number one external risk factor facing businesses, according to 23.1% of the 39 CFOs in the CNBC CFO Survey report.

It only takes one click to lose millions!

Did you know…

Straight from headlines:

“We regret to inform you, but your financial data might have been stolen.”

A scene straight out of your worst nightmare. It’s something that giant auditing firm Deloitte and a small Connecticut-based accounting firm had to deal with when they were hacked. Data breaches affect firms of all sizes, reiterating that the need for stronger cybersecurity for accounting firms is more real — and pressing — than ever.

Cybersecurity threats by the numbers

• Jack Dorsey’s Crypto Organization Suffers an Embarrassing Hack! Financial Data Compromised
• In 2016, 3B Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
• In 2019, First American Financial Corporation leaked 885 million users’ sensitive records dating back more than 16 years. (UpGuard.com)
• In 2019, 2/3rds of Facebook app datasets were exposed to the public Internet, over 533 million records. (UpGuard.com)
• In 2021, more than 700 million LinkedIn users’ information was posted for sale on a Dark Web forum. (UpGuard.com)
• In 2016, it was reported that hackers stole the information of over 57M riders and drivers. (Uber)
• In 2017, 412M user accounts were stolen from Friendfinder’s sites. (LeakedSource)
• In 2017, 147.9M consumers were affected by the Equifax breach. (Equifax)
• According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
• 31% of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
• 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the WannaCry virus in 2017, at a total cost of around $4B. (Malware Tech Blog)
• Attacks involving cryptojacking increased by 8,500% in 2017. (Symantec)
• In 2017, 5.4B attacks by the WannaCry virus were blocked. (Symantec)
• In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016, on average about $11.7M. (Accenture)
• The average cost of a malware attack on a company is $2.4M. (Accenture)
• The average cost in time of a malware attack is 50 days. (Accenture)
• From 2016 to 2017 there was a 22.7% increase in cybersecurity costs. (Accenture)
• The most expensive component of a cyber attack is information loss, which represents 43% of costs. (Accenture)
• Ransomware damage costs exceeded $5B in 2017, 15X the cost in 2015. (CSO Online)
• Massive data breach hits Capital One, affecting more than 100 million customers (social security numbers, banking information and more exposed!)

How many of you

• Connected to the hotel free Wi-Fi?

What is Human Firewall?

• People that follow best practices to prevent as well as report any data breaches or suspicious activity

Human Firewall weaknesses

• Phishing attacks
• Shoulder surfing
• Untrained employees
• Data theft/loss
• Malware

Combating Human Firewall Weaknesses
• Remain aware of your surroundings when using a VPN
• When in a public space, find a secluded or discreet area to enter private information into your device
• Save passwords with a password manager (so you log in to accounts while revealing minimal info)
• Activate two-factor (aka multi-factor) authentication on any account, which prevents others from using your password alone to access your account
• Don’t share passwords – ever!
• Use a privacy screen or transparent screen cover that reduces viewing angles when using your devices in public

How to Avoid being Hacked

• Multi-Factor Authentication
• Get a Password Manager
• Learn how to spot a Phishing Attack
• Update everything (Software, Phone OS…)
• Encrypt everything
• Wipe your Digital Footprint

Multi-Factor Authentication (MFA)

Password Management

• Best Overall: LastPass
• Best for Extra Security Features: Dashlane
• Best Multi-Device Platform: LogMeOnce
• Best Free Option: Bitwarden
• Best for New Users: RememBear
• Best for Families: 1Password
• Best Enterprise-Level Manager: Keeper

Don’t store all your passwords…

• In your browser (like Google Chrome)
• Why?
• If your Google Chrome gets hacked, bad actors get access to ALL your passwords!

Beware of Bogus Invoices!

1. Middle market companies lose on average $300K in invoice fraud annually
2. It happens frequently but people don’t talk about it because it’s embarrassing
3. Only 1 in 4 finance executives can even estimate how much invoice fraud is costing their businesses
4. Common frauds are illegitimate vendors, invoice spoofing/fake invoices, & interception of mailed checks

Beware the ads you click on!

• Malvertising = malware
• Can have:
  • Passwords stolen
  • Files deleted
  • Your PC resources used
  • Your devices rendered inoperable

Avoid getting Phished

Did you know

• Roughly 7 phishing attacks occur every minute
  • Deceptive emails
  • Websites
  • Text messages
• Attackers are adjusting their methods to compromise entire email services
• Attackers can abuse legitimate contact forms on websites to send emails
• Fake reply emails such as gift card scams (trick users into thinking they were expecting these emails)

Emails – Phishing Risk 91% of Cyber attacks start with a phishing email…

Top reasons people are duped by phishing emails
• Curiosity 13.7%
• Fear 13.4%
• Urgency 13.2%
• Reward/recognition, social, entertainment and opportunity

Phishing Samples


Latest Google Phishing scam

One way to avoid phishing scams

Reduce risk to phishing by

• Always use spam and phishing filters
• Watch out for grammar errors and strange email addresses
• Do NOT tap or click on any unknown links or email attachments
• Rotate passwords regularly
• Don’t be tempted by pop-ups…

Trust but verify…

• Malicious emails can come from a trusted vendor’s or supplier’s legitimate email address
• Such emails likely won’t be flagged by a secure email gateway as suspicious
• Data found that account takeover comprised 2% of malicious emails analyzed

Update everything…

• Fix software and applications
• Patch management
• Create a more secure environment
• Experience improved feature/functionality

Patch/Update OS/SW process

• Have a current inventory of all systems
• Devise a plan
• Have a list of security controls (firewalls, antivirus and vulnerability management tools – run scans…)
• Compare the vulnerability report against the inventory to understand security risks
• Classify (and prioritize) risk
• Test (apply patches in a test environment)
• Apply patches
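The “compare the report against the inventory, then classify and prioritize” steps above, as an added Python example that is not from the slides. The asset inventory, the scanner export and the VULN-000x finding IDs are all constructed placeholders; the risk score (CVSS times a business-criticality weight) is an assumed scheme, not one the deck prescribes.

```python
# Constructed asset inventory: hostname -> owner and business criticality.
INVENTORY = {
    "cage-db01": {"owner": "Finance", "criticality": "high"},
    "kiosk-07": {"owner": "Slots", "criticality": "medium"},
    "hr-file01": {"owner": "HR", "criticality": "high"},
    "lobby-sign02": {"owner": "Marketing", "criticality": "low"},
}

# Constructed scanner export (CSV: host,finding,cvss,fix_available).
# The finding IDs are placeholders, not real advisories.
SCAN_REPORT = """\
cage-db01,VULN-0001 outdated database service,9.8,yes
kiosk-07,VULN-0002 weak TLS configuration,5.3,yes
hr-file01,VULN-0003 SMB signing disabled,7.5,yes
lobby-sign02,VULN-0001 outdated database service,9.8,no
unknown-pc99,VULN-0004 end-of-life OS,8.1,no
"""

# Assumed weighting: the same CVSS score matters more on a critical asset.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def parse_report(text):
    """Turn the scanner CSV into a list of finding dicts."""
    findings = []
    for line in text.strip().splitlines():
        host, finding, cvss, fix = line.split(",")
        findings.append({"host": host, "finding": finding,
                         "cvss": float(cvss), "fix_available": fix == "yes"})
    return findings


def severity_bucket(cvss):
    """Classify a CVSS base score into the usual four bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(inventory, findings):
    """Join findings to the inventory and rank them.

    Returns (ranked findings, hosts the scanner saw that are NOT in the
    inventory). The second list is an inventory gap in its own right:
    an unowned, unclassified machine cannot be patched on schedule.
    """
    ranked, unknown = [], []
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            unknown.append(f["host"])
            continue
        risk = round(f["cvss"] * CRITICALITY_WEIGHT[asset["criticality"]], 1)
        ranked.append({**f, "owner": asset["owner"],
                       "criticality": asset["criticality"],
                       "severity": severity_bucket(f["cvss"]), "risk": risk})
    # Highest risk first; among equals, prefer findings that already have a fix.
    ranked.sort(key=lambda r: (-r["risk"], not r["fix_available"], r["host"]))
    return ranked, sorted(set(unknown))


if __name__ == "__main__":
    patch_list, gaps = prioritize(INVENTORY, parse_report(SCAN_REPORT))
    for r in patch_list:
        print(f"{r['risk']:>5}  {r['severity']:<8} {r['host']:<13} "
              f"{r['owner']:<10} fix={'yes' if r['fix_available'] else 'no':<3} {r['finding']}")
    print("Not in inventory (add to inventory before next cycle):", gaps)
```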

Encryption best practices

• Never send sensitive information across email
• Keep your encryption key secure
• Have secure storage
• Use automation
• Access and audit logs
• Backups
• Have encryption key life cycle management
• Caution: third-party integration; apply the rule of least privilege
• Terminate legacy (unused) keys
• Zero Trust

Managing your digital footprint

• Look yourself up online
• List all your accounts
• Use privacy settings
• Keep things professional
• Keep your profile up to date
• Don’t overshare
• Delete unflattering content
• Check your browser for cookies
• Update your software
• Use digital tools (anti-tracking tools, privacy search engines or anonymous browsers)

IoT

• Cell Phones
• iPads
• FitBits or other sports activity devices
• Medical Devices

Common IoT Cyber Risks

• Poor Data Protection
• Poor Password Protection
• Unpatched Devices
• Poor IoT Device Management
• IoT Skills Gaps

IoT Did you know…

Common IoT types of Cyber Attacks

• DDoS
• Firmware exploits
• Man-in-the-middle
• Data interception
• Physical attacks
• Brute force attacks
• Unauthorized access
• Ransomware
• Radio frequency jamming

Did you know…

• Electric Vehicles could have risk
• Digital components = lots of data

Questions

Tanja.Jacobsen@outlook.com www.cinoltd.com (516) 932-0317 x309

Mapping the MICS to the NIST Framework Building a Strong Security Foundation

Indian Gaming Association Cybersecurity Training Thursday, October 20, 2022 9:00 am – 10:30 am

Welcome

Renita DiStefano - MBA, CISSP, CISM, CRISC, CISA, CSOX, CGEIT President & CEO – Second Derivative

Untangling the Myriad of Standards & Regulations

Side by Side – They All Have the Same Elements

https://www.nist.gov/cyberframework

https://learn.cisecurity.org/cis-controls-download

The Good News

• They all have common requirements
• They can be “mapped”
• Policies, Procedures & Standards are the Foundation of any Information Security & Assurance Program
• Don’t Start from Scratch!
• Solve for one, extend to many
• Assurance: Make it Audit-Proof

Common Requirements & Mapping:
Function: NIST PROTECT (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
Description: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

Policies, Procedures & Standards are the Foundation of any Information Security & Assurance Program

Establishes the Following:

• Who: Roles & Responsibilities
• What: Policy & Standards
• Where: Scope
• When: Frequency, Timing
• Why: Rationale
• How: Standard Operating Procedure (technical details)

Don’t Start from Scratch!

Examples of Compensating Controls
1. Privileged Account Management (PAM) System
2. Just-in-Time Access (disabled until requested)
3. Randomly generated, complex password assigned at creation
4. Limit the number of connections
5. Limit WHERE the account can authenticate from (IP address)
6. Limit the ability to get an interactive session
7. Limit command line access
8. Limit the ability to change its own password
9. Give the process visibility
10. Include IT
11. Secure authentication protocols

Configuration Management

1. Adopt a Standard: https://www.cisecurity.org/cis-benchmarks/
2. Download the CIS Hardened Image
3. Adjust to create your “Golden Image”
4. Operationalize with your build system
5. Cycle the “Golden Image” into the Patch Cycle
6. Train, Train, Train
7. Combines Process, Technology and People

CIS Hardened Images® are securely configured according to applicable CIS Benchmarks™.

Why did I pick those two examples?

Assurance: Make it Secure, Make it Audit-Proof

Administrative Control

Control Activity

Outcome

Compliance team member checks the ticketing system to ensure that the privileged account has been properly authorized and that it has the correct privileges and compensating controls. Team member updates the ticket with their results and assigns the ticket to a manager (or above) for closure/follow up. Manager reviews and closes/follows up as appropriate. Potential: identify a gap in an upstream process or a performance opportunity. Systems thinking approach.

Standard Operating Procedure: Authorization of Privileged Accounts

[your tool] will monitor the Active Directory “Domain Admins” group and send real-time text message and email alerts to [compliance@yourtribe.com] to notify when a privileged account has just been created by [Administrator Name] at [MM/DD/YY, HH:MM:SS]. Email notification will be sent to [compliance@yourtribe.com] and [helpdesk@yourtribe.com], which will automatically create a ticket in your support desk software and assign it to [compliance group]. The ticketing system will send an email to compliance@yourtribe.com, which will notify a distribution group that a ticket has been assigned for follow up.
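The monitoring step of this SOP and the compliance check that follows it (verifying the change against an authorization ticket), as an added Python example that is not from the slides or any vendor tool. The security-log entries, the yourtribe.com names and the CHG ticket numbers are constructed; event IDs 4728 and 4729 are the standard Windows Security log events for a member added to or removed from a security-enabled global group such as Domain Admins.

```python
from dataclasses import dataclass

# Constructed Windows Security log entries, trimmed to the fields the check
# needs. 4728 = member added to a security-enabled global group,
# 4729 = member removed. Actors, members and times are made up.
SAMPLE_EVENTS = [
    {"time": "10/20/22, 09:14:07", "event_id": 4728, "actor": "YOURTRIBE\\jdoe",
     "group": "Domain Admins",
     "member": "CN=svc-backup,OU=Service Accounts,DC=yourtribe,DC=com"},
    {"time": "10/20/22, 09:20:33", "event_id": 4728, "actor": "YOURTRIBE\\jdoe",
     "group": "Helpdesk Staff",
     "member": "CN=asmith,OU=Users,DC=yourtribe,DC=com"},
    {"time": "10/20/22, 11:02:51", "event_id": 4728, "actor": "YOURTRIBE\\tmiller",
     "group": "Domain Admins",
     "member": "CN=tmiller-adm,OU=Admins,DC=yourtribe,DC=com"},
    {"time": "10/20/22, 11:40:12", "event_id": 4729, "actor": "YOURTRIBE\\jdoe",
     "group": "Domain Admins",
     "member": "CN=svc-backup,OU=Service Accounts,DC=yourtribe,DC=com"},
]

# Constructed authorization records from the ticketing system:
# account name -> approved change request.
APPROVED_CHANGES = {"svc-backup": "CHG-1042"}

WATCHED_GROUPS = {"Domain Admins"}
ALERT_RECIPIENTS = ["compliance@yourtribe.com", "helpdesk@yourtribe.com"]


@dataclass
class Ticket:
    """One follow-up ticket per privileged-group change, assigned to compliance."""
    member: str
    actor: str
    time: str
    action: str
    status: str
    assigned_to: str = "compliance group"

    def alert_text(self):
        return (f"To: {', '.join(ALERT_RECIPIENTS)}\n"
                f"Privileged account {self.member} {self.action} by {self.actor} "
                f"at [{self.time}]. Status: {self.status}. "
                f"Ticket assigned to {self.assigned_to}.")


def common_name(dn):
    """First RDN value of a distinguished name: 'CN=svc-backup,OU=...' -> 'svc-backup'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def review_events(events, approved=APPROVED_CHANGES, watched=WATCHED_GROUPS):
    """Raise a ticket for every add/remove on a watched group.

    Each ticket is pre-annotated with the compliance control activity from
    the slide: does a matching authorization exist in the ticketing system?
    Removals are ticketed too, so the audit trail covers both directions.
    """
    tickets = []
    for ev in events:
        if ev["group"] not in watched or ev["event_id"] not in (4728, 4729):
            continue
        action = "added to" if ev["event_id"] == 4728 else "removed from"
        name = common_name(ev["member"])
        change = approved.get(name)
        status = (f"authorized ({change})" if change
                  else "no matching change request; escalate to manager")
        tickets.append(Ticket(name, ev["actor"], ev["time"],
                              f"{action} {ev['group']}", status))
    return tickets


if __name__ == "__main__":
    for t in review_events(SAMPLE_EVENTS):
        print(t.alert_text(), end="\n\n")
```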

Assurance: Make it Secure, Make it Audit-Proof

Administrative Control

Control Activity

Outcome

Encryption Standard: Laptops will be encrypted

On the first day of each quarter (Jan 1, April 1, July 1, Oct 1) [your tool] will check all laptops (AD Organizational Unit OU) to make sure they are encrypted. A list of laptops that fail the encryption check will be emailed to [helpdesk@yourtribe.com] which will automatically create a ticket in your support desk software and assign it to [administrator’s group]. The ticketing system will send an email to admins@yourtribe.com which will notify a distribution group that a ticket has been assigned for follow up.

Administrators perform follow up and resolve. They update the ticket with their results. Extra: re-run the encryption check until there are zero fails. Potential: identify a gap in an upstream process i.e. deployment process. Systems thinking approach.

Questions?

renita@2nd-derivative.com

Essential Elements of a

Fully Managed Cybersecurity and Compliance Program

About Jeremy
• Chief Technology Officer and Partner of Abacode, Inc., a Tampa, Florida based company that provides managed cybersecurity and compliance programs to businesses across all industries.
• Adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club.
• Taught courses in cryptography & network security, ethical hacking, digital forensics & investigations, and mobile & wireless security.
• Has performed research & development of cyber solutions and built cyber services teams for government and commercial customers for 30 years.
• Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).
• Named 2017 Tampa Bay Technology Leader of the Year.

linkedin.com/JeremyLRasmussen

@jeremycec

Cybersecurity Awareness Month Tip of the Day

What are DMARC, DKIM, and SPF? They are security settings in your Domain Name System (DNS) records that should be configured to keep phishing attackers from sending emails that appear to come from your domain. DNS is the Internet service that maps domain names, e.g., yngc.com, to IP addresses such as 45.79.103.37. If DMARC, DKIM, and SPF are set, then someone at 131.247.100.1 cannot send an email as chief@yngc.com without receiving mail servers disregarding it.

Use https://mxtoolbox.com to check yours!
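An added offline example (not from the slides, and not MxToolbox's own code) of the checks such a tool performs on the three records just described: the SPF record's terminal `all` qualifier, whether a DKIM public key is published for a selector, and the DMARC `p=` policy. DNS answers come from a constructed dictionary so the script runs without network access; for a live check, replace `lookup_txt` with a resolver call. All domain names, selectors and record contents below are constructed.

```python
"""Added example (not from the training book): SPF / DKIM / DMARC posture checks
over constructed DNS TXT data."""
import re

# Constructed DNS TXT answers: {name: [txt records]}
SAMPLE_DNS = {
    # Well configured: one SPF record with hard fail, DKIM key published, DMARC reject.
    "good.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test -all",
                  "site-verification=0123abcd"],
    "mail._domainkey.good.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],  # truncated, constructed
    "_dmarc.good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.test; pct=100"],
    # Weak: SPF authorises everyone (+all) and DMARC is monitor-only.
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    # Partial: soft-fail SPF, no DKIM key, no DMARC record at all.
    "partial.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
}

SPF_ALL = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)", re.IGNORECASE)
SPF_QUALIFIER = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}
DMARC_POLICIES = {"reject", "quarantine", "none"}


def lookup_txt(name, dns=SAMPLE_DNS):
    """TXT records for a name; swap in a real resolver for live checks."""
    return dns.get(name.lower(), [])


def _tags(record):
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_status(domain, dns=SAMPLE_DNS):
    """Only 'hardfail' (-all) tells receivers to fail forged senders outright.
    RFC 7208 requires exactly one SPF record per domain, so two is an error too."""
    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing" if not spf else "multiple"
    m = SPF_ALL.search(spf[0])
    if not m:
        return "no-all"          # no terminal 'all': result defaults to neutral
    return SPF_QUALIFIER[m.group(1) or "+"]


def dkim_published(domain, selector, dns=SAMPLE_DNS):
    """DKIM keys live at <selector>._domainkey.<domain>; the selector comes from the
    DKIM-Signature header of a message the domain sent. An empty p= means revoked."""
    return any(_tags(r).get("p") for r in lookup_txt(f"{selector}._domainkey.{domain}", dns))


def dmarc_policy(domain, dns=SAMPLE_DNS):
    """The p= policy ('reject', 'quarantine', 'none'), 'invalid', or 'missing'."""
    for r in lookup_txt(f"_dmarc.{domain}", dns):
        if r.lower().startswith("v=dmarc1"):
            p = _tags(r).get("p", "").lower()
            return p if p in DMARC_POLICIES else "invalid"
    return "missing"


def assess(domain, selector="mail", dns=SAMPLE_DNS):
    """Summary of the three checks; 'enforced' means every one is at its strongest."""
    spf = spf_status(domain, dns)
    dkim = dkim_published(domain, selector, dns)
    dmarc = dmarc_policy(domain, dns)
    return {"domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
            "enforced": spf == "hardfail" and dkim and dmarc == "reject"}


if __name__ == "__main__":
    for d in ("good.test", "weak.test", "partial.test"):
        print(assess(d))
```

Two details matter in practice: a DMARC policy of `p=none` only reports, it never blocks, so a domain can "have DMARC" and still be spoofable; and the DKIM check needs a selector name, which is why online checkers ask for one and why an SPF/DMARC-only check can report a domain as configured when no signing key is published.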

Problem statement

1. BEST PRACTICES. Agencies need to implement controls to protect data and networks, aligned with a best practices framework – e.g., NIST CSF.
2. HIRING. Finding, hiring, and retaining cyber talent has proven difficult. E.g., half of Florida state cyber positions are vacant.
3. EXACERBATING ISSUES. Rampant ransomware, nation-state gathering/disruption efforts, rising cyber breach insurance costs and underwriting requirements, etc.

The Three C’s we need to address

External Forces Driving Cybersecurity Compliance Requirements

Clients / Partners

Audit & Attestation Requests

Insurance Underwriters

Industry & Regulatory

States with passed or pending privacy regulation

CUSTOMER

• Prospects and Clients expect a level of data protection
• Potential for lost revenue
• Contractual obligations
• As a provider, you must adhere to standards
• Contractual commitment
• Industry, state, and federal data protection regulations are increasing across the board
Result: Compliance product and Cybersecurity product overload


Confidential and proprietary. © Copyright 2022 Abacode. All rights reserved.

Best practices alignment: NIST Cyber Security Framework (CSF)
• Identify your critical data & assets (what, where, how, etc.)
• Protect your critical data & assets (encryption, multifactor authentication, data loss prevention, etc.)
• Detect cyber threats through instrumentation, telemetry, and analysis
• Respond to cyber threats in a timely manner to contain & constrain
• Recover from incidents by closing the loop on issues and improving for the future

Proposed Solution: Continuous Security & Compliance

Features:
• 24/7/365 “eyes on glass” MDR/XDR/EDR/SOAR, threat hunting, and compliance monitoring
• Integrated Portal - Compliance & Cybersecurity
• Consolidated reporting
• Mapped to critical compliance controls
• Turnkey program built for flexibility
Benefits:
• Compliance & cybersecurity integrated into ONE managed program
• Continuous cybersecurity & compliance monitoring
• Entire team of cybersecurity & compliance experts for a fraction of the cost
• Continuous compliance attestation for auditors, prospects, clients, partners, and supply-chain


Continuous Cybersecurity and Compliance

Continuous Monitoring: 24/7 SIEM/SOC Services

NIST Cybersecurity Framework Elements:
• Detect
• Respond
• Recover


SIEM / XDR technologies. Some examples:
• AT&T Cybersecurity USM Anywhere
• IBM QRadar
• Elasticsearch, Logstash, and Kibana (ELK)
• LogRhythm
• Stellar Cyber
• Splunk Enterprise Security

Service manager provides either:

1. Fully managed turnkey solution – software licensing, hardware (as required), and labor
2. Co-managed solution – utilizing your existing environment; they provide vSOC monitoring labor


Sample SIEM deployment with USM Anywhere (diagram)

U.S.-Based Security Operation Centers: Las Vegas, NV and Tampa, FL
Diagram labels: URLs, Malware Hashes, Domains, IP Addresses
Security Stack Solutions: Endpoint Protection, Cloud Gateway Security, Next-gen Firewalls, Email Security, Etc.
AT&T Cybersecurity USM Anywhere
Abacode Compliance Portal


Security Events – Log Source Examples: Public Cloud, On-Prem / Security, End Points, SaaS

Continuous monitoring overview

Tier 1: Eyes-on-glass 24/7/365

Tier 2: Escalations

Initial analysis & triage

Recommended actions & response

Tier 3: Advanced Threat Hunting

Tier 2: Active Response

Depends on complexity and potential impact

Managed response actions


Deep-dive analysis, threat hunting, active response

Conti Ransomware ATT&CK Signatures:
1. Initial access: phishing, remote desktop exploit, unpatched systems.
2. Execution: Windows command line; API calls.
3. Persistence: stolen account creds; external connections (e.g., VPN or Citrix).
4. Privilege escalation: encrypted DLL injection.
5. Defense evasion: encryption; obfuscation.
6. Credential access: Mimikatz or other.
7. Discovery: enumerates network connections; retrieves ARP cache.
8. Lateral movement: taints network shared drives; spreads via SMB.
9. C&C: hard-coded IPs via HTTP.
10. Collection & exfil: 7Zip & WinSCP to cloud.
11. Impact: AES-256-bit encryption.
12. Impact: stops 146 Windows services related to security and backups using net stop.
13. Impact: deletes Windows Volume Shadow Copies using vssadmin.

MITRE ATT&CK Framework / Cyber Kill Chain
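The two Impact behaviours at the end of the Conti list above (mass service stops with net stop, and shadow copy deletion with vssadmin) are the kind of signal a SOC's SIEM rules look for. The following is an added Python example, not from the training book or any vendor named in it, showing how the two differ as detections: shadow copy deletion is a one-shot rule, while net stop is a routine admin command whose signal is volume on a single host in a short window. The log lines, hostnames, users and the pipe-delimited export format are constructed; T1490 (Inhibit System Recovery) and T1489 (Service Stop) are the published MITRE ATT&CK technique IDs.

```python
"""Added example (not from the training book): detection logic for two ransomware
Impact behaviours over constructed process-creation log lines, of the kind a SIEM
ingests from Sysmon (Event ID 1) or Windows Security Event ID 4688."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One-shot rule: deleting Volume Shadow Copies is rarely legitimate outside planned
# backup maintenance, so a single hit is worth an alert.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Burst rule: 'net stop' is a normal admin action; the ransomware signal is many
# stops on one host within a short window (Conti stops well over a hundred services).
NET_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\S+", re.IGNORECASE)
NET_STOP_THRESHOLD = 10
NET_STOP_WINDOW = timedelta(seconds=60)

# Constructed sample export: time|host|user|command line
SAMPLE_LOG = [
    "2022-10-19T10:00:01|WS-FIN-07|jdoe|C:\\Windows\\System32\\cmd.exe /c whoami",
    "2022-10-19T10:00:05|WS-FIN-07|jdoe|vssadmin.exe delete shadows /all /quiet",
    "2022-10-19T10:00:07|WS-IT-02|itadmin|net stop spooler",      # lone admin action
    "2022-10-19T10:05:30|WS-IT-02|itadmin|net start spooler",
] + [
    # twelve service stops on WS-FIN-07 within twelve seconds (service names constructed)
    f"2022-10-19T10:00:{10 + i:02d}|WS-FIN-07|jdoe|net stop svc_{i:02d} /y"
    for i in range(12)
]


def parse_line(line):
    """Split one constructed export line into a dict with a parsed timestamp."""
    t, host, user, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(t), "host": host, "user": user, "cmd": cmd}


def detect(lines):
    """Return a list of alerts, each tagged with its ATT&CK technique ID."""
    alerts, stop_times = [], defaultdict(list)
    for ev in map(parse_line, lines):
        if VSS_DELETE.search(ev["cmd"]):
            alerts.append({"technique": "T1490", "host": ev["host"],
                           "user": ev["user"], "evidence": ev["cmd"]})
        if NET_STOP.search(ev["cmd"]):
            stop_times[ev["host"]].append(ev["time"])
    # Sliding window per host: alert once when >= THRESHOLD stops fall inside WINDOW.
    for host, times in stop_times.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > NET_STOP_WINDOW:
                lo += 1
            if hi - lo + 1 >= NET_STOP_THRESHOLD:
                alerts.append({"technique": "T1489", "host": host,
                               "evidence": f"{hi - lo + 1} 'net stop' commands within "
                                           f"{int(NET_STOP_WINDOW.total_seconds())}s"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs a SOC sets from its own baseline: a patch night on a server may legitimately stop several services, so the burst rule should be reviewed against normal change windows, whereas the one-shot vssadmin rule is usually escalated straight to Tier 2 because by that point encryption is typically seconds away.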


Abacode’s approach to fully managed Cybersecurity & Compliance

What is Security as a Service? Cybersecurity: Critical Importance of a Strong Security Culture

Amit Sharma Chief Executive Officer BMM Innovation Group

company confidential

Agenda

§ Definitions
§ The Cyber Challenges
§ The Risks
§ Can Security as a Service Help?
§ Advantages / Disadvantages


Definitions

Managed Security Services: A general term for any security tasks or processes that you outsource to a third party (e.g., managing user access, operating a SIEM or SOC, etc.)

Security as a Service (SECaaS): Another term for Managed Security Services

SOC as a Service: A Security Operations Center (SOC) is where all security alerts, security incidents, security intrusions, etc., are monitored and triaged. In this case, this would be done by an external third party.

SIEM as a Service: A Security Information and Event Management (SIEM) tool is a piece of software that collects security alerts and events into a central location for faster and improved analysis. Like a SOC, the operation and oversight of a SIEM can be outsourced to a third party.


The Challenges


The Business Challenge: Today, all organizations, businesses, governments, individuals and any other entity must accept that they can be a target of cybercrime. Cybercriminals evolve their techniques and methods on a daily basis and are sometimes even state-sponsored. How can your organization keep current with the latest cyber attack and defense techniques in order to reduce the risks to the organization? How can this be done while still carrying on your core business operations?

Technical Challenge
• Timely application of patches, updates, and fixes
• Attacks on cloud-based infrastructure, data, or applications
• Social engineering attacks like phishing
• Ransomware attacks
• AI-based cyberattack tools
• Insider risks
• Remote working
Can your team stay on top of all of this on their own?


The Evolution of Cyber Threats and Their Solutions

The People Challenge

People as the cyberattack vector: Cybersecurity education for staff keeps coming up as an area of high risk in annual security white papers. Phishing, Vishing (telephone calls), and Smishing (SMS phishing) are all being used by attackers to target your employees daily.

Security staffing

Staff retention: Keeping your security-knowledgeable staff is challenging in the current job market.

The global shortage of qualified security personnel drives a need to look for other options to help


Compliance Challenge: Security standards and frameworks are evolving and some have added requirements around ensuring you are collecting security information, analyzing that information, monitoring for security events and responding to all of these security data/events.

ISO 27002 | PCI-DSS | NIST SP 800-137


The Risks


The Business Risks

https://www.sec.gov/rules/proposed/2022/33-11038.pdf


Financial and Business Implications

• 83% of organizations reported more than one data breach.
• Average data breach cost was $4.35 million.
• Average cost of a ransomware attack was $4.54 million.
• On average, it took 207 days to identify a data breach and 70 more to contain it.
• Stolen account credentials took 327 days on average to identify and contain.
• Breaches cost about $1 million more for companies that had a large share of remote employees (80% vs 20%).
• 1 in 5 breaches were caused by stolen or compromised logins.

Source: IBM 2022 Cost of a Data Breach Report


People Stats
• Cybercriminals use social engineering in 98% of attacks.
• There are 75 times as many phishing websites as malware sites.
• 75% of companies worldwide were victims of phishing in 2020.
• With 241,342 successful incidents, phishing was the most common cybercrime in 2020 in the US.
• A ransomware attack is successful every 11 seconds.
• In 2019, the cost per compromised record was $150 on average.
• The US government allocated nearly $19 billion for cybersecurity in 2021.*
* https://webtribunal.net/blog/social-engineering-statistics/#gref

How can SECaaS Help?


Types of Services
• Managed SOC / SIEM Platform
• Data Loss Prevention
• Business Continuity / Disaster Recovery
• Forensic Analysis, Threat Hunting
• Risk Assessments and Simulations
• Education and Training
• Incident Response
• Anti-Phishing
• CISO as a Service, vCISO
• Etc…


Business Advantages

COST SAVINGS

LATEST SECURITY TOOLS AND UPDATES

FASTER PROVISIONING AND GREATER AGILITY

FREE UP RESOURCES

EXPERTS IN THE FIELD


Security Professional Services
• Risk Management
• Security Management System
• Policy / Standard / Process Assistance
• Training for Security Staff
• 24/7/365 Active Monitoring
• Assessments, Vulnerability & Penetration Testing
• Security Audit Preparation
• vCISO


A Managed SOC/SIEM service

• Monitors for Indicators of Compromise (IoC) rather than specific security event types; this is the most resilient way forward for risk reduction.
• Can utilize Artificial Intelligence (AI) to assist with IoC analysis and reduce the response time to security events.
• Threat Intelligence analysis can be included.
• Ensures your security staff stay security aware 24/7/365 with a SOC that is staffed and operational at all times.
• Can pre-process security events to reduce false positives.
• A qualified SOC team can provide a list of actions for resolving security events.
• Reduces in-house workload.
• Provides expert-level professionals.


BIG Cyber Multi-Layered and Multi-Dimensional Security

PEOPLE (Security Awareness, Security Support): BIG Cyber Education and Training

PROCESS (ISMS, Risk Management, Security Management, Secure Processes): BIG Cyber Expert Security Consulting Services

TECHNOLOGY (IT Infrastructure): BIG Cyber 24/7/365 Active Monitoring


Certifications, Experience, and Expertise

Certifications: CISA, CISM, CISSP, CGEIT, PCIP, CIPP/C, ITIL, MCSE, ISO 27001 Master, CRISC, CDPSE, CTT+, CBCP, C|CISO, ISO 27002, ISO 38500, OSCP, CEH, ISO 27005, ISO 27032, and more!

Experience: Lottery & Gaming, iGaming, Law Enforcement, Health Care, Government, Utilities, Manufacturing, Retail…

Security Expertise: ISACA Chapter Board Member, Canada Standards Council Committee Member, Cloud Security Alliance Committee Member...


Amit Sharma CEO


DIGITAL PAYMENT SECURITY

WHAT YOU NEED TO KNOW

PRESENTED BY: MELISSA AARSKAUG & TIGER TAYLOR

TODAY’S AGENDA

✓ Introduction + About Bulletproof

✓ Growth in Cybercrime + Technology

✓ A Deeper Dive into Digital Payment

✓ How To Address Digital Payment Security Challenges

✓ Key Takeaways/Q&A Session

INTRODUCTION

TIGER TAYLOR Account Executive

MELISSA AARSKAUG VP, Business Development

✓ 17+ Years of tribal + gaming experience [Cherokee Tribal Member]

✓ 11+ Years of Cybersecurity Experience

✓ Experience working with tribes, gaming, government, state agencies, + more

✓ Dedicated to serving tribal nations with complex IT, security, + compliance challenges

✓ Committed to helping our clients solve their challenges

✓ Technical experience

ABOUT BULLETPROOF

2+ Decades Experience | Global Footprint | State-of-the-Art SOC

BULLETPROOF SERVICES:

Managed Services | Managed Security Services | Cybersecurity Services | Professional Services | Cloud Consulting

BULLETPROOF OFFICE LOCATIONS

HEADQUARTERS FREDERICTON, NB

BULLETPROOF CREDENTIALS

5X | 11 Gold Competencies | 2021 Impact Award Winner | Global Security Partner of the Year | Proud MISA Member | Global Microsoft Partner of the Year Winner: Security

Awarded for demonstrating excellence in innovation and implementation of customer end-to-end security solutions based on Microsoft technology globally.

THE MARKET: GROWTH IN CYBERCRIME + TECHNOLOGY

• The average data breach takes 277 days to be identified + contained.

• The 2022 average total cost of a data breach is $4.35M USD.

GROWTH IN CYBERCRIME

• Tribes that collect sensitive data & information are prime targets.

• Increased consumer adoption of digital payment drives demand.

• Digital payment is a method consumers can use to make a payment that’s quick, convenient, + safe.

GROWTH IN TECHNOLOGY + DIGITAL PAYMENT

• Payment security market expected to reach $54.1B by 2028.*

• New technology = New risk

MODERN TRIBAL CYBERSECURITY CHALLENGES
• Organizational changes due to COVID + an accelerated digital workforce
• Global impact on retaining cybersecurity talent
• Shifting from on-premise to hybrid/cloud-only model
• Keeping up with security posture management
• Increase in cybersecurity insurance premiums
• Data management & privacy (PII/KYC)

THE RISE OF THE CYBERCRIME GIG ECONOMY

Cybercrime used to be the domain of skilled hackers. This is no longer true.

Ransomware is a Booming Business The average ransomware demand climbed to $200K.

Any device that is connected is a target.

